NetMRI uses internal and external authentication systems to control user authentication for all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, called the local authentication service, in which all user accounts and login information are held on the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP or SAML authentication server or server group in the enterprise network, or to an OCSP responder for certificate-based login, to perform user authentication and authorization for NetMRI tasks using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.

...

In all cases, configuring authentication protocols for the NetMRI appliance requires creating one or more authentication services from the Settings icon > General Settings > Authentication Services page:

...

If the Active Directory server authentication uses SSL, upload the CA certificate that issued the Active Directory server's certificate to NetMRI, so that NetMRI can validate the server it connects to. See

To import the AD server's CA certificate, complete the following:

  1. Go to the Settings icon > General Settings > Security page and then click the CA Certificates tab.
  2. Click Import.
  3. In the pop-up window, enter a descriptive name for the certificate and click Browse to locate the Active Directory server's CA certificate (the issuing CA's certificate, not the server's own certificate).
  4. Click Import to import the CA certificate to NetMRI.

...

To configure an LDAP authentication service for NetMRI, complete the following:

  1. Go to the Settings icon > General Settings section > Authentication Services page.
  2. Enter the Name and Description.
  3. Set the Priority and Timeout of the LDAP service.
  4. Choose LDAP as the Service Type. The Service Specific Information pane updates to show the required LDAP settings.
  5. Enter the Base DN value for the new LDAP service (example: ou=management,dc=corp100,dc=local). The user search is rooted at this DN, so accounts stored elsewhere in the tree are not found. User definitions may be split between two or more Base DNs, so be aware of how the directory service is structured before choosing one.
  6. Enter the User Attribute, the attribute whose value is matched against the login name. This is typically cn ('common name'), one of the components of the LDAP Distinguished Name; Active Directory deployments commonly use sAMAccountName or userPrincipalName instead.
  7. Enter the Group Attribute, typically memberOf for NetMRI. This attribute holds the group membership of individual user accounts in the LDAP tree. NetMRI reads it to retrieve the LDAP group name to which each user belongs, and the LDAP group is then mapped to a NetMRI user group (see the Remote Groups tab).
    Example:

...
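As an added example (not taken from the NetMRI documentation or product), the following Python script checks a Base DN, User Attribute and Group Attribute combination against ldapsearch-style LDIF output before you enter it on the Authentication Services page. It also demonstrates the Base DN caveat above: a user stored outside the Base DN is simply not found. The LDIF, the group names and the group-to-role mapping are constructed for illustration; the mapping imitates what the Remote Groups tab does and is an assumption about its effect, not a description of NetMRI internals.

```python
"""Added example, not NetMRI code: sanity-check an LDAP Base DN, User Attribute
and Group Attribute against ldapsearch-style LDIF before configuring the
NetMRI LDAP authentication service."""

# Constructed sample of `ldapsearch -LLL` output: users kept under two OUs,
# groups expressed through memberOf. Not real directory data.
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=management,dc=corp100,dc=local
objectClass: person
cn: jdoe
sAMAccountName: jdoe
memberOf: cn=NetMRI-Admins,ou=groups,dc=corp100,dc=local
memberOf: cn=Network-Ops,ou=groups,dc=corp100,dc=local

dn: cn=asmith,ou=contractors,dc=corp100,dc=local
objectClass: person
cn: asmith
sAMAccountName: asmith
memberOf: cn=NetMRI-Viewers,ou=groups,dc=corp100,dc=local
"""

# Hypothetical Remote Groups mapping (LDAP group CN -> NetMRI role); the role
# names are assumptions, not NetMRI's built-in roles.
REMOTE_GROUPS = {"NetMRI-Admins": "Admin", "NetMRI-Viewers": "Viewer"}


def parse_ldif(text):
    """Parse minimal LDIF (no base64 '::' values, no line folding) into a list
    of {attribute: [values]} dicts, one per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dn_components(dn):
    """Split 'cn=a,ou=b,dc=c' into (type, value) pairs; types lower-cased."""
    pairs = []
    for part in dn.split(","):
        rdn_type, _, rdn_value = part.strip().partition("=")
        pairs.append((rdn_type.lower(), rdn_value))
    return pairs


def under_base_dn(dn, base_dn):
    """True if dn is at or below base_dn (subtree search semantics).
    Values are compared case-insensitively, as LDAP does for DNs."""
    dn_parts = [(t, v.lower()) for t, v in dn_components(dn)]
    base_parts = [(t, v.lower()) for t, v in dn_components(base_dn)]
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def find_user(entries, base_dn, user_attr, login):
    """Return the entry whose user_attr equals login and whose DN lies under
    base_dn, or None. Entries outside the Base DN are invisible, which is the
    failure mode the page warns about."""
    for entry in entries:
        if under_base_dn(entry["dn"][0], base_dn) and login in entry.get(user_attr, []):
            return entry
    return None


def group_names(entry, group_attr):
    """Take the CN of each DN held in the group attribute (e.g. memberOf)."""
    names = []
    for group_dn in entry.get(group_attr, []):
        for rdn_type, rdn_value in dn_components(group_dn):
            if rdn_type == "cn":
                names.append(rdn_value)
                break
    return names


def netmri_roles(entries, base_dn, user_attr, group_attr, login):
    """Resolve a login to the sorted NetMRI roles its LDAP groups map to;
    [] if the user is not found under base_dn or none of its groups is mapped."""
    user = find_user(entries, base_dn, user_attr, login)
    if user is None:
        return []
    return sorted({REMOTE_GROUPS[g] for g in group_names(user, group_attr) if g in REMOTE_GROUPS})


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    base = "ou=management,dc=corp100,dc=local"
    print(netmri_roles(entries, base, "cn", "memberOf", "jdoe"))    # ['Admin']
    print(netmri_roles(entries, base, "cn", "memberOf", "asmith"))  # [] (outside the Base DN)
    print(netmri_roles(entries, "dc=corp100,dc=local", "sAMAccountName", "memberOf", "asmith"))  # ['Viewer']
```

Feed it the real output of an `ldapsearch` against your directory and try the exact Base DN and attribute names you intend to configure; if a user you expect to log in resolves to an empty list, either the Base DN is too narrow or the group attribute on that user does not name a mapped group.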

To configure a RADIUS authentication service for NetMRI, perform the following:

  1. Go to the Settings icon > General Settings section > Authentication Services page.
  2. Click New to add a new authentication service. The Add Authentication Service dialog opens.
  3. Enter the Name and Description.
  4. Set the Priority and Timeout of the new RADIUS service.
  5. Choose RADIUS as the Service Type. The Service Specific Information pane updates to show the required RADIUS settings.
  6. Retain the defaults for the Infoblox Vendor ID (7779, Infoblox's IANA enterprise number) and the Vendor Attribute ID (10). Together they identify the vendor-specific attribute NetMRI expects in the RADIUS reply, so the same vendor ID and attribute ID must be defined in the RADIUS server's dictionary file whichever server you use. You can change either value, but only if you change the dictionary to match; with a mismatch NetMRI cannot find the attribute in the reply.
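As an added example (not NetMRI, Infoblox or FreeRADIUS code), the Python below encodes and decodes the RFC 2865 Vendor-Specific attribute (type 26) that carries a group name under the page's default Vendor ID 7779 and Vendor Attribute ID 10, and shows why a dictionary that defines a different attribute ID breaks the lookup. The attribute name Infoblox-Group-Info, the dictionary fragment in the comments and the sample reply bytes are assumptions made for illustration; only the numbers 7779 and 10 come from the page.

```python
"""Added example, not NetMRI or Infoblox code: RFC 2865 Vendor-Specific
attribute handling for the vendor ID / attribute ID pair NetMRI expects.

A FreeRADIUS-style dictionary matching the page's defaults would look like
(attribute name assumed for the example):

    VENDOR          Infoblox            7779
    BEGIN-VENDOR    Infoblox
    ATTRIBUTE       Infoblox-Group-Info 10      string
    END-VENDOR      Infoblox
"""
import struct

VSA_TYPE = 26               # RFC 2865 "Vendor-Specific" attribute type
INFOBLOX_VENDOR_ID = 7779   # NetMRI default Vendor ID
GROUP_ATTR_ID = 10          # NetMRI default Vendor Attribute ID


def encode_vsa(vendor_id, vendor_type, value):
    """Build one VSA: Type | Length | Vendor-Id (4) | Vendor-Type | Vendor-Length | value."""
    data = value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for one VSA")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def iter_attributes(payload):
    """Yield (type, value_bytes) from a RADIUS attribute list; reject bad lengths."""
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, payload[i + 2:i + alen]
        i += alen


def group_from_reply(payload, vendor_id=INFOBLOX_VENDOR_ID, vendor_type=GROUP_ATTR_ID):
    """Return the group strings found in VSAs whose vendor ID and vendor type
    match the configured pair; anything else in the reply is ignored."""
    groups = []
    for atype, value in iter_attributes(payload):
        if atype != VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        sub = value[4:]
        while len(sub) >= 2:               # a VSA may carry several sub-attributes
            vt, vl = sub[0], sub[1]
            if vl < 2 or vl > len(sub):
                break
            if vt == vendor_type:
                groups.append(sub[2:vl].decode(errors="replace"))
            sub = sub[vl:]
    return groups


# Constructed Access-Accept attribute list: a Reply-Message (type 18) followed
# by the Infoblox VSA carrying the group name.
SAMPLE_ACCEPT_ATTRS = (
    bytes([18, 2 + len(b"welcome")]) + b"welcome"
    + encode_vsa(INFOBLOX_VENDOR_ID, GROUP_ATTR_ID, "netmri-admins")
)

# Same group, but the server's dictionary numbered the attribute 11 instead of
# 10: the reply is valid RADIUS, yet a client expecting attribute 10 sees no group.
MISMATCHED_ATTRS = encode_vsa(INFOBLOX_VENDOR_ID, 11, "netmri-admins")

if __name__ == "__main__":
    print(group_from_reply(SAMPLE_ACCEPT_ATTRS))  # ['netmri-admins']
    print(group_from_reply(MISMATCHED_ATTRS))     # []
```

The same bytes decode to a group or to nothing depending solely on the vendor ID and attribute ID the client is told to look for, which is the point of step 6: the numbers on the NetMRI side and in the server's dictionary are one setting, not two.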

...

  1. Ensure that all user accounts are defined with their necessary roles in NetMRI.
  2. Go to the Settings icon > General Settings section > Authentication Services page.
  3. Enter the Name and Description.
  4. Set the Priority and Timeout values.
  5. Choose TACACS+ as the Service Type. The Service Specific Information panel updates to show the required TACACS+ settings.
  6. Enter the Service Name and Group Attribute.
  7. Test NetMRI user account settings by entering the User Name and Password and clicking Test. A successful test returns the list of user roles defined in NetMRI for the test user.

...

  • You have enabled ports 443 (HTTPS) and 80 (HTTP) on the firewall to allow NetMRI to communicate with the IDP SAML server.
  • In NetMRI, you have specified the eth0 main MGMT IP address in Settings > General Settings > Advanced Settings > Configuration Management > Fully Qualified Domain Name.
  • You have downloaded a valid SSL certificate and private key file from the IDP SAML server and copied them onto your SAML server. You can generate a self-signed certificate and key using OpenSSL (see https://www.openssl.org/docs/manmaster/man1/openssl-req.html); a self-signed certificate is only appropriate where the IDP has been configured to trust it explicitly.
  • On the IDP SAML server, you have configured the following attributes that NetMRI expects in the SAML assertion:
    NetMRI SAML Attribute Key            | SAML Attribute Value   | Description                                                  | Example
    -------------------------------------|------------------------|--------------------------------------------------------------|-------------------------------
    uid                                  | username               | User name as specified in the IDP user record.               | jdoe
    urn:oid:1.2.840.113549.1.9.1 or mail | mail                   | The person's email address in the IDP user record.           | jdoe@example.com
    urn:oid:2.5.4.42 or givenName        | givenName              | Given name (first name) as specified in the IDP user record. | john
    urn:oid:2.5.4.4 or surname           | surname                | Surname (last name) as specified in the IDP user record.     | doe
    Group Attribute                      | Custom group attribute | The user's relation to the organization or group.            | memberOf, eduPersonAffiliation

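As an added example (not NetMRI code), the Python below extracts the attributes in the table above from a SAML assertion, accepting either the urn:oid form or the friendly name for each, and treats the group attribute as multi-valued. The assertion is constructed for illustration and is unsigned; a real service provider must verify the assertion's XML signature, audience and validity conditions before trusting any attribute, and this example deliberately does not cover that part.

```python
"""Added example, not NetMRI code: map SAML assertion attributes to the keys
NetMRI expects (uid, mail, givenName, surname, plus a group attribute).
Signature and Conditions checking are out of scope here and must be done
before any of these values are trusted."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# NetMRI key -> SAML attribute Names accepted for it (OID form or friendly name).
NETMRI_ATTRIBUTES = {
    "uid": ("uid",),
    "mail": ("urn:oid:1.2.840.113549.1.9.1", "mail"),
    "givenName": ("urn:oid:2.5.4.42", "givenName"),
    "surname": ("urn:oid:2.5.4.4", "surname"),
}
REQUIRED = ("uid",)   # assumption: the user name is the one attribute login cannot do without

# Constructed, unsigned sample assertion mixing OID and friendly attribute names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>john</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>netmri-admins</saml:AttributeValue>
      <saml:AttributeValue>network-ops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attributes_by_name(assertion_xml):
    """Return {Name: [values]} for every saml:Attribute in the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def map_to_netmri(assertion_xml, group_attribute="memberOf"):
    """Map assertion attributes onto NetMRI's keys. The first accepted Name that
    is present wins; a missing required key raises instead of yielding a
    half-populated user. group_attribute is the custom group attribute configured
    on the IDP (memberOf, eduPersonAffiliation, ...)."""
    attrs = attributes_by_name(assertion_xml)
    user = {}
    for key, names in NETMRI_ATTRIBUTES.items():
        for name in names:
            if attrs.get(name):
                user[key] = attrs[name][0]
                break
    missing = [k for k in REQUIRED if k not in user]
    if missing:
        raise ValueError("assertion lacks required attribute(s): " + ", ".join(missing))
    user["groups"] = attrs.get(group_attribute, [])
    return user


if __name__ == "__main__":
    print(map_to_netmri(SAMPLE_ASSERTION))
    # {'uid': 'jdoe', 'mail': 'jdoe@example.com', 'givenName': 'john', 'surname': 'doe',
    #  'groups': ['netmri-admins', 'network-ops']}
```

If the IDP releases its group attribute under a different name than the one you configure in NetMRI, the user still logs in but arrives with an empty group list; run a captured assertion through a mapping like this one when roles do not appear as expected.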

To configure a NetMRI SAML authentication service, complete the following:

...

To configure an OCSP authentication service, complete the following:

  1. Go to the Settings icon > General Settings > Authentication Services.
  2. Click New (the plus icon). The Add Authentication Service dialog opens.
  3. Name: Enter a meaningful name for the OCSP authentication service.
  4. Description: Enter a textual description for the OCSP authentication service.
  5. Timeout: Specify the server response timeout.
  6. Service Type: Choose OCSP.
  7. Disable service: This setting is turned on by default, so the new service is not offered on the NetMRI login form until you turn it off. Once the service is enabled, NetMRI validates that the user's certificate chains to the imported CA certificate and checks the certificate's revocation status with the OCSP responder.
  8. Click Save.

...

  1. In the Edit Authentication Service dialog, click the Servers tab.
  2. Click New (the plus icon). The Add OCSP responder dialog appears.
  3. Enter the Host/IP Address.
  4. Priority: Choose the priority of the new server within the authentication service. The priority value determines the order in which NetMRI queries the servers: a lower number denotes a higher priority, "1" is the highest, and only one server should have priority "1".
  5. OCSP Certificate: Select a previously imported CA certificate to use with requests to this OCSP responder. You can import certificates on the Settings icon > General Settings > Security page, CA Certificates tab.
  6. Port: Specify the OCSP server port.
  7. Disable server: This setting is turned off by default, so NetMRI queries this responder when checking a user certificate for validity.
  8. Certificates: Select the required certificate chain.
  9. Click Save.
  10. Test: Click to test the connection to the authentication servers.


    Note: To additionally check the certificate for revocation, make sure to turn off the Disable service option in the Add Authentication Service dialog described in the previous procedure.


  11. Click Close.